Documentation
Index
- Constants
- Variables
- func CheckSecretExists(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) (bool, error)
- func FindSecretsOwnedByObj(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) ([]corev1.Secret, error)
- func GetSecret(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) (*corev1.Secret, bool, error)
- func HandleRolloutRestarts(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object, ...) error
- func HandleSecretHMAC(ctx context.Context, client ctrlclient.Client, validator vault.HMACValidator, ...) (bool, []byte, error)
- func OwnerLabelsForObj(obj ctrlclient.Object) (map[string]string, error)
- func RolloutRestart(ctx context.Context, namespace string, target v1beta1.RolloutRestartTarget, ...) error
- func SyncSecret(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object, ...) error
- type SyncOptions
- type SyncableSecretMetaData
Constants
const AnnotationRestartedAt = "vso.secrets.hashicorp.com/restartedAt"
AnnotationRestartedAt is updated to trigger a rollout-restart
Variables
var OwnerLabels = map[string]string{
"app.kubernetes.io/name": "vault-secrets-operator",
"app.kubernetes.io/managed-by": "hashicorp-vso",
"app.kubernetes.io/component": "secret-sync",
}
OwnerLabels will be applied to any k8s Secret we create. They are used in Secret ownership checks. There are similar labels in the vault package. It's important that the value of the component label never intersects with that of other components of the system, since an overlap would make the ownership checks ambiguous and could lead to data loss.
Make OwnerLabels public so that they can be accessed from tests.
Functions
func CheckSecretExists
func CheckSecretExists(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) (bool, error)
CheckSecretExists checks if the Secret configured on obj exists. Returns true if the secret exists, false if the secret was not found. If any error, other than apierrors.IsNotFound, is encountered, then that error will be returned along with the existence value of false.
See NewSyncableSecretMetaData for the supported types for obj.
func FindSecretsOwnedByObj
func FindSecretsOwnedByObj(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) ([]corev1.Secret, error)
FindSecretsOwnedByObj returns all corev1.Secrets that are owned by obj. Those are secrets that have a copy of OwnerLabels, and exactly one metav1.OwnerReference that matches obj.
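The ownership rule above (OwnerLabels present with identical values, plus exactly one matching OwnerReference) is what keeps one component from pruning another's Secrets. The following is an added example, not the package's code: it re-implements that filter over minimal stand-in types so it runs without a Kubernetes dependency, and the API group string and sample objects are constructed for illustration.

```go
package main

import "fmt"

// OwnerReference and Secret are constructed stand-ins for metav1.OwnerReference and corev1.Secret.
type OwnerReference struct{ APIVersion, Kind, Name, UID string }

type Secret struct {
	Name   string
	Labels map[string]string
	Owners []OwnerReference
}

// ownerLabels copies the package's OwnerLabels value.
var ownerLabels = map[string]string{
	"app.kubernetes.io/name":       "vault-secrets-operator",
	"app.kubernetes.io/managed-by": "hashicorp-vso",
	"app.kubernetes.io/component":  "secret-sync",
}

// ownedBy mirrors the FindSecretsOwnedByObj rule: every owner label present with
// an identical value (a different component value means another component's
// Secret), and exactly one OwnerReference that matches the owning object.
func ownedBy(s Secret, owner OwnerReference) bool {
	for k, want := range ownerLabels {
		if got, ok := s.Labels[k]; !ok || got != want {
			return false
		}
	}
	if len(s.Owners) != 1 {
		return false
	}
	o := s.Owners[0]
	return o.APIVersion == owner.APIVersion && o.Kind == owner.Kind && o.UID == owner.UID
}

// secretsOwnedBy returns the subset of secrets that owner may manage or prune.
func secretsOwnedBy(secrets []Secret, owner OwnerReference) []Secret {
	var out []Secret
	for _, s := range secrets {
		if ownedBy(s, owner) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	owner := OwnerReference{"secrets.hashicorp.com/v1beta1", "VaultStaticSecret", "db", "uid-1"} // constructed
	mine := Secret{"db-creds", ownerLabels, []OwnerReference{owner}}
	fmt.Println(len(secretsOwnedBy([]Secret{mine}, owner)))
}
```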
func GetSecret
func GetSecret(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object) (*corev1.Secret, bool, error)
GetSecret
func HandleRolloutRestarts
func HandleRolloutRestarts(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object, recorder record.EventRecorder) error
HandleRolloutRestarts triggers a rollout-restart for all v1beta1.RolloutRestartTarget(s) configured for obj. Supported objs are: v1beta1.VaultDynamicSecret, v1beta1.VaultStaticSecret, v1beta1.VaultPKISecret.
Please note the following:
- a rollout-restart will be triggered for each configured v1beta1.RolloutRestartTarget
- the rollout-restart action has no support for roll-back
- it does not wait for the action to complete
Returns all errors encountered.
func HandleSecretHMAC
func HandleSecretHMAC(ctx context.Context, client ctrlclient.Client, validator vault.HMACValidator, obj ctrlclient.Object, data map[string][]byte) (bool, []byte, error)
HandleSecretHMAC compares the HMAC of data to its previously computed value stored in obj.Status.SecretHMAC, returning true if they are equal. The newly computed HMAC is also returned so that obj.Status.SecretHMAC can be updated.
Supported types for obj are: VaultDynamicSecret, VaultStaticSecret
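To show what the comparison described above involves, here is an added example that is not the package's or the vault package's code: it computes an HMAC-SHA256 over a deterministic serialization of the secret data and compares it in constant time with a stored value, returning the same (equal, newMAC) pair shape that HandleSecretHMAC does. The key is a constructed placeholder; the operator keeps its real key elsewhere.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"sort"
)

// hmacKey is a constructed example key; the operator stores its real key in a
// Kubernetes Secret it manages. The stand-in just keeps the example self-contained.
var hmacKey = []byte("constructed-example-key-do-not-use")

// canonicalize serializes the secret data deterministically (keys sorted, lengths
// prefixed) so the MAC depends neither on map iteration order nor on where a key ends.
func canonicalize(data map[string][]byte) []byte {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var buf bytes.Buffer
	for _, k := range keys {
		fmt.Fprintf(&buf, "%d:%s=%d:", len(k), k, len(data[k]))
		buf.Write(data[k])
	}
	return buf.Bytes()
}

// computeHMAC returns HMAC-SHA256 over the canonical form of data.
func computeHMAC(key []byte, data map[string][]byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(canonicalize(data))
	return mac.Sum(nil)
}

// secretUnchanged reports what HandleSecretHMAC reports: true when the MAC of data
// equals the stored MAC (compared in constant time), plus the fresh MAC for the
// caller to persist in Status.SecretHMAC.
func secretUnchanged(key, stored []byte, data map[string][]byte) (bool, []byte) {
	newMAC := computeHMAC(key, data)
	return hmac.Equal(stored, newMAC), newMAC
}

func main() {
	data := map[string][]byte{"username": []byte("app"), "password": []byte("s3cr3t")} // constructed
	_, stored := secretUnchanged(hmacKey, nil, data) // first sync: nothing stored yet
	data["password"] = []byte("rotated")
	same, _ := secretUnchanged(hmacKey, stored, data)
	fmt.Println("unchanged after rotation:", same)
}
```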
func OwnerLabelsForObj
func OwnerLabelsForObj(obj ctrlclient.Object) (map[string]string, error)
OwnerLabelsForObj returns the canonical set of labels that should be set on all secrets created/owned by VSO.
func RolloutRestart
func RolloutRestart(ctx context.Context, namespace string, target v1beta1.RolloutRestartTarget, client ctrlclient.Client) error
RolloutRestart patches the target in namespace for rollout-restart. Supported target Kinds are: DaemonSet, Deployment, StatefulSet
func SyncSecret
func SyncSecret(ctx context.Context, client ctrlclient.Client, obj ctrlclient.Object, data map[string][]byte, opts ...SyncOptions) error
SyncSecret writes data to a Kubernetes Secret for obj. All configuration is derived from the object's Spec.Destination. Note: in order to keep the interface simpler, opts is a variadic argument; only the first element of opts will ever be used.
See NewSyncableSecretMetaData for the supported types for obj.
Types
type SyncOptions
type SyncOptions struct {
	// PruneOrphans controls whether to delete any previously synced k8s Secrets.
	PruneOrphans bool
}
SyncOptions to provide to SyncSecret().
func DefaultSyncOptions
func DefaultSyncOptions() SyncOptions
type SyncableSecretMetaData
type SyncableSecretMetaData struct {
	// APIVersion of the syncable-secret object. Maps to obj.APIVersion.
	APIVersion string
	// Kind of the syncable-secret object. Maps to obj.Kind.
	Kind string
	// Destination of the syncable-secret object. Maps to obj.Spec.Destination.
	Destination *secretsv1beta1.Destination
}
SyncableSecretMetaData provides a common data structure that extracts the bits pertinent to handling any of the sync-able secret custom resource types.
See NewSyncableSecretMetaData for the supported object types.
func NewSyncableSecretMetaData
func NewSyncableSecretMetaData(obj ctrlclient.Object) (*SyncableSecretMetaData, error)
NewSyncableSecretMetaData returns SyncableSecretMetaData if obj is a supported type. An error will be returned if obj is not a supported type.
Supported types for obj are: VaultDynamicSecret, VaultStaticSecret, VaultPKISecret